BulletProof Security Pro › Protect Login Page from Brute Force Login Attacks
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
This topic has 163 replies, 30 voices, and was last updated 4 years, 6 months ago by eveli.
floOo (Participant)
Hi, I just added the above code for login protection (the function requiring you to type ?mySecretString=foobar after wp-login.php), but now I cannot log in anymore… I tried the following URL after http://example.com (which I replaced with my actual website URL): /wp-login.php?mySecretString=foobar
I always get redirected to my website root (say, http://example.com/) as if the query string was not matched. I added the function directly, copy-pasted into functions.php, just before the final ?>. What did I do wrong?
EDIT: Sorry, I solved my problem already: the problem was that WordPress is automatically redirected to a sub-directory… so I had to replace the line:
$theRequest = 'http://' . $_SERVER['SERVER_NAME'] . '/' . 'wp-login.php' . '?'. $_SERVER['QUERY_STRING'];
with the line:
$theRequest = 'http://' . $_SERVER['SERVER_NAME'] . '/myWordPressSubDirectory/' . 'wp-login.php' . '?'. $_SERVER['QUERY_STRING'];
And now it works great, thanks! 🙂
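As an added example (not the function the post refers to, and not BulletProof Security code), here is one way to implement the same secret-query-string gate in functions.php without hard-coding the site path, which is the sub-directory problem the post ran into: home_url() already contains a sub-directory such as /myWordPressSubDirectory. The parameter name mySecretString, the value foobar and the bps_example_ function names are placeholders.

```php
<?php
// Added example, not the thread's original snippet and not plugin code.
// Gate wp-login.php behind a secret query-string token. The parameter
// name and value are hypothetical placeholders; use a long random value.

define( 'BPS_EXAMPLE_LOGIN_TOKEN_PARAM', 'mySecretString' ); // placeholder
define( 'BPS_EXAMPLE_LOGIN_TOKEN_VALUE', 'foobar' );         // placeholder

/**
 * Runs at the start of wp-login.php (the 'login_init' hook) for every
 * request method, so a direct POST of credentials is gated as well as
 * the GET that renders the form.
 */
function bps_example_login_token_gate() {
    // Logged-in users (including the logout action) pass through, so
    // the gate never interferes with an existing session.
    if ( is_user_logged_in() ) {
        return;
    }

    // $_REQUEST covers both ?mySecretString=... in the URL and the hidden
    // form field echoed below, so the credentials POST carries it too.
    $supplied = isset( $_REQUEST[ BPS_EXAMPLE_LOGIN_TOKEN_PARAM ] )
        ? (string) wp_unslash( $_REQUEST[ BPS_EXAMPLE_LOGIN_TOKEN_PARAM ] )
        : '';

    // Constant-time comparison; a plain === leaks timing information.
    if ( hash_equals( BPS_EXAMPLE_LOGIN_TOKEN_VALUE, $supplied ) ) {
        return;
    }

    // home_url() already includes a sub-directory install path, which the
    // hand-built 'http://' . $_SERVER['SERVER_NAME'] . '/' string lacked.
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'login_init', 'bps_example_login_token_gate' );

/**
 * Echo the token as a hidden field inside the login form (the
 * 'login_form' hook fires inside the <form>), so that submitting the
 * form is accepted by the gate above even though the form action URL
 * does not carry the query string.
 */
function bps_example_login_token_field() {
    printf(
        '<input type="hidden" name="%s" value="%s" />',
        esc_attr( BPS_EXAMPLE_LOGIN_TOKEN_PARAM ),
        esc_attr( BPS_EXAMPLE_LOGIN_TOKEN_VALUE )
    );
}
add_action( 'login_form', 'bps_example_login_token_field' );
```

The token is a shared secret that shows up in the URL, in Referer headers and in access logs, so it reduces bot noise rather than authenticating anyone; keep the attempt-limiting and captcha discussed in this thread in place alongside it. The lost-password and registration forms on wp-login.php are gated too but do not get the hidden field; the lostpasswordform and register_form hooks can echo it in the same way if those forms are needed.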
nhaskell (Participant)
I’ve read through the directions you’ve provided and I tried to update the custom content brute login field with the following content…
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from http://websitename.com
# Add your website/Server IP Address
Allow from website server address
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 71.233.64
</FilesMatch>
Whenever I try to save the page I receive an error that states:
403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
Any ideas? I have yet to purchase the pro version. Would this be what is triggering it?
AITpro Admin (Keymaster)
The Allow and Deny directives let you allow and deny access based on the host name, or host address, of the machine requesting a document. The Order directive goes hand-in-hand with these two, and tells Apache in which order to apply the filters. http://httpd.apache.org/docs/2.2/howto/access.html
Allow from http://websitename.com
Allow from websitename.com would be valid. Allow from http://websitename.com is not valid.
hcri50 (Participant)
[Topic has been merged into this relevant Topic]
How can I restrict access to the admin area by my IP Address Only. I am sure that I saw this somewhere, Can someone please tell me if I am correct on this??
AITpro Admin (Keymaster)
@ hcri50 – you would use the IP-based Brute Force Login page protection code in this Forum Topic. Your Login page and wp-admin folder are pretty much the same thing, i.e. in order to get into wp-admin you need to log in.
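As an added example (not the plugin's Bonus Custom Code and not the block posted above), the IP-based wp-login.php allow-list written for both Apache 2.2, whose Order/Allow/Deny syntax the linked documentation describes, and Apache 2.4, where the same policy is expressed with Require from mod_authz_core. The prefix 71.233.64 and the host name example.com are placeholders:

```apache
# Added example, not the plugin's Bonus Custom Code.
# 71.233.64 and example.com are placeholders.
<FilesMatch "^wp-login\.php$">

    # Apache 2.2 (mod_authz_host). "Order Allow,Deny" denies by default:
    # a client is admitted only if it matches an Allow line and no Deny
    # line, so no "Deny from all" is needed here.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        # A partial address is a prefix on whole octets: 71.233.64 covers
        # 71.233.64.0 through 71.233.64.255 (the 2.2 docs' "Allow from 10.1").
        Allow from 71.233.64
        # A bare host name is valid syntax; a URL (http://example.com) is
        # not. Host matching does a double-reverse DNS lookup of the
        # connecting client, so it does not "allow your website" and is
        # slower and less reliable than an address.
        Allow from example.com
    </IfModule>

    # Apache 2.4 (mod_authz_core): the same policy with Require.
    # Several Require lines in a directory context default to RequireAny.
    <IfModule mod_authz_core.c>
        Require ip 71.233.64
        Require host example.com
    </IfModule>

</FilesMatch>
```

Two checks before relying on this: wp-login.php lives in the site root, so the block belongs in the root .htaccess, not only in wp-admin/.htaccess; and behind a CDN or reverse proxy the address Apache compares is the proxy's, not yours, so the allow-list will either lock you out or admit the whole proxy range unless the real client address is restored first (mod_remoteip on Apache 2.4).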
AITpro Admin (Keymaster)
[Topic manually merged to this relevant Topic]
I have looked on my host's website, which suggests How to Password Protect Your WordPress (wp-admin) Directory as well as wp-login.php (cPanel):
https://www.eukhost.com/forums/f38/how-password-protect-your-wordpress-wp-admin-directory-well-wp-login-php-cpanel-19534/
I can’t use brute force protect on my sites, but use BPS login protection limit 3 attempts.
I also use a captcha. Is it worth me using the above method?
Thanks
AITpro Admin (Keymaster)
That would be a personal choice that is up to you. If you do not want to allow anyone else to login to your website then you can use Directory Password Protection.
paulpp (Participant)
Ok, thank you.
When I activate this, it adds to my default admin htaccess:
ErrorDocument 401 default
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
[all other code removed as it is not relevant to adding wp-admin folder/Login page password protection]
AITpro Admin (Keymaster)
You would add ONLY your default admin htaccess code to this BPS wp-admin Custom Code text box: CUSTOM CODE WPADMIN TOP:
Add wp-admin password protection, IP whitelist allow access & miscellaneous custom code here
You do not need to add the FilesMatch condition for wp-login.php, i.e. in order to login to your website someone would be accessing your wp-admin folder. The WordPress Login page redirects into the wp-admin folder. The Directory Password Protection prompts for a password since the wp-admin directory is password protected. After adding your wp-admin directory protection code click the Save wp-admin Custom Code button and activate wp-admin BulletProof Mode.
paulpp (Participant)
# BEGIN CUSTOM CODE WPADMIN TOP
# Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
ErrorDocument 401 default
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
# END CUSTOM CODE WPADMIN TOP
Like so, then activate.
AITpro Admin (Keymaster)
wp-admin htaccess File Custom Code Steps
1. Enter your custom code in the appropriate wp-admin Custom Code text box.
2. Click the Save wp-admin Custom Code button to save your wp-admin custom code.
3. Go to the BPS Security Modes page and click the wp-admin Folder BulletProof Mode Activate button.
paulpp (Participant)
Thanks, all fine on one site; another just gives loop redirects, so I’ll get in touch with hosting. I don’t think it is their suggestion: ErrorDocument 401 default
paulpp (Participant)
I see my mistake: using this code there is no need to use cPanel; it auto-generates it for me.
AITpro Admin (Keymaster)
[Topic manually moved to this relevant Topic]
Hello,
I have problems with this code:
# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots, HackerBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
This code blocks me from WP login page access. I receive a 403 error. I’m using ServerPilot and a DigitalOcean VPS, and I contacted ServerPilot support and they said this: It won’t work to block HTTP/1.0 requests. So, you should replace these three lines:
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
with this one line:
RewriteCond %{HTTP_USER_AGENT} ^$
What do you think? Is it ok to replace these three lines with this one?
AITpro Admin (Keymaster)
This Bonus Custom Code does not work on some servers, so if you are seeing a 403 error then unfortunately you cannot use this code on your particular server.
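An added example (not the plugin's Bonus Custom Code) that splits the block quoted above into two independent rules, so the blank-User-Agent check can stay while the protocol check is removed on its own, together with the curl requests that show which rule produces a 403. The mechanism behind the symptom is general: SERVER_PROTOCOL is the protocol of the connection Apache itself receives, and when a reverse proxy in front of Apache speaks HTTP/1.0 to the backend (nginx's proxy_http_version defaults to 1.0), every request matches the HTTP/1.0 condition and the whole login page is forbidden. The site URL is a placeholder, and RewriteEngine is assumed to be available in .htaccess.

```apache
# Added example, not the plugin's Bonus Custom Code.
<IfModule mod_rewrite.c>
RewriteEngine On

# Rule 1: blank User-Agent on wp-login.php. Safe everywhere: real
# browsers always send a User-Agent, so only scripted clients match.
# Consecutive RewriteCond lines without [OR] are ANDed.
RewriteCond %{REQUEST_URI} wp-login\.php
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^ - [F,L]

# Rule 2: HTTP/1.0 on wp-login.php, kept separate so it can be deleted
# by itself. Behind a proxy that talks HTTP/1.0 to Apache this matches
# every request, including the site owner's, and wp-login.php returns
# 403 for everyone: the symptom reported above. Drop this rule (or the
# equivalent THE_REQUEST condition) on such hosts.
RewriteCond %{REQUEST_URI} wp-login\.php
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^ - [F,L]
</IfModule>

# Checking from a shell which rule fires (example.com is a placeholder;
# -0 forces HTTP/1.0, -A "" sends an empty User-Agent, -w prints the status):
#   curl -s -o /dev/null -w '%{http_code}\n'       https://example.com/wp-login.php   # 200: normal browser-like request
#   curl -s -o /dev/null -w '%{http_code}\n' -A "" https://example.com/wp-login.php   # 403 from rule 1
#   curl -s -o /dev/null -w '%{http_code}\n' -0    https://example.com/wp-login.php   # 403 from rule 2 on a directly exposed Apache
# If the first request already returns 403 with both rules in place but
# 200 with rule 2 removed, the server is seeing HTTP/1.0 on every request.
```

The diagnosis is cheap to confirm without guessing at the hosting stack: a PHP page that prints $_SERVER['SERVER_PROTOCOL'] will show HTTP/1.0 for a normal browser visit when a proxy is downgrading the backend connection, which is exactly the case where rule 2 cannot be used.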